void-packages/srcpkgs/chromium/patches/chromium-87-ServiceWorkerContainerHost-crash.patch
Peter Bui 28ef4c2b2c chromium: update to 87.0.4280.66.
[ci skip]

- Built for x86_64, x86_64-musl, i686.
- Tested on x86_64.
2020-11-20 03:10:06 +01:00

22 lines
1.1 KiB
Diff

Bug: https://bugs.gentoo.org/750038
Upstream bug: https://crbug.com/1135070
--- content/browser/service_worker/service_worker_container_host.cc
+++ content/browser/service_worker/service_worker_container_host.cc
@@ -626,6 +626,16 @@
int64_t registration_id) {
DCHECK_CURRENTLY_ON(ServiceWorkerContext::GetCoreThreadId());
DCHECK(base::Contains(registration_object_hosts_, registration_id));
+
+ // ServiceWorkerRegistrationObjectHost to be deleted may have the last reference to
+ // ServiceWorkerRegistration that indirectly owns this ServiceWorkerContainerHost.
+ // If we erase the object host directly from the map, |this| could be deleted
+ // during the map operation and may crash. To avoid the case, we take the
+ // ownership of the object host from the map first, and then erase the entry
+ // from the map. See https://crbug.com/1135070 for details.
+ std::unique_ptr<ServiceWorkerRegistrationObjectHost> to_be_deleted =
+ std::move(registration_object_hosts_[registration_id]);
+ DCHECK(to_be_deleted);
registration_object_hosts_.erase(registration_id);
}